Critical n8n Vulnerabilities Enabling RCE and Sandbox Escapes
Government cyber agencies in Belgium and Canada warned that n8n released security updates to address multiple critical vulnerabilities that could allow attackers to compromise workflow automation instances, particularly those exposed to the internet. The advisories emphasize that n8n often orchestrates actions across interconnected systems, increasing blast radius if compromised, and urge administrators to patch immediately to protect confidentiality, integrity, and availability.
The Belgian CCB advisory highlights three critical CVEs (CVE-2026-27495, CVE-2026-27577, and CVE-2026-27497, each scored CVSS 9.4) affecting n8n versions prior to 2.10.1 / 2.9.3 / 1.123.22, including issues mapped to CWE-94 (code injection) and CWE-89 (SQL injection). It describes sandbox escape leading to arbitrary code execution in the JavaScript Task Runner (notably impacting the default internal Task Runner mode) and abuse of crafted workflow expressions by authenticated users with workflow modification permissions. Canada’s Cyber Centre advisory (AV26-176) additionally enumerates impacted components and attack classes, including RCE via Merge Node, expression sandbox escape to RCE, JavaScript Task Runner sandbox escape, unauthenticated expression evaluation via Form Node, and stored XSS across multiple nodes, and directs organizations to apply n8n’s upstream fixes.

How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose three critical n8n node flaws enabling chained RCE
Researchers disclosed three critical n8n vulnerabilities—CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791—affecting the HTTP Request, Git, and XML nodes that low-privileged authenticated users with workflow editing rights could chain to achieve remote code execution. The issues were fixed in versions 1.123.43, 2.20.7, and 2.22.1 and later, with organizations urged to upgrade immediately because no complete workaround exists.
Canada issues advisory on May n8n security updates
On 2026-05-13, the Canadian Centre for Cyber Security published advisory AV26-459 covering newly released n8n security advisories for multiple critical vulnerabilities. The advisory said affected areas included Pagination Prototype Pollution, Dynamic Credential OAuth Endpoints, Source Control, XML Node Prototype Pollution, and Git Node, and urged users and administrators to review and apply updates.
Canada issues advisory on April n8n security updates
On 2026-04-22, the Canadian Centre for Cyber Security published advisory AV26-379 covering newly released n8n security advisories for multiple vulnerabilities, including some rated critical. The advisory said affected areas included MCP Client Registration, dynamic-node-parameters, XML Node Prototype Pollution, XML Webhook, SQL Mode of Merge Node, MCP OAuth client, and Python Task Runner, and urged users to review and apply updates.
Canada issues advisory on new n8n security updates
On 2026-03-25, the Canadian Centre for Cyber Security published advisory AV26-278 covering newly released n8n security updates for multiple components and editions, including the Merge Node, Community Edition, Binary Data Inline HTML Rendering, GSuiteAdmin Node, and Form Trigger/Chat Trigger Nodes. The advisory urged users and administrators to review n8n's security information and apply the necessary updates.
Pillar Security discloses four critical n8n flaws
On 2026-03-11, Pillar Security publicly detailed four critical n8n vulnerabilities, including CVE-2026-27577 and CVE-2026-27493, which can be exploited individually or chained for remote code execution. The disclosure also warned that attackers could extract the N8N_ENCRYPTION_KEY and decrypt stored credentials such as API keys, OAuth tokens, and database passwords.
Belgium warns users to patch critical n8n vulnerabilities immediately
On February 27, 2026, Belgium's Centre for Cybersecurity published an advisory warning about multiple critical vulnerabilities in n8n and urging immediate patching. This reflects broader government dissemination of the February n8n security issues.
n8n releases security updates for multiple critical flaws
On February 25, 2026, n8n released security updates addressing multiple critical vulnerabilities across several components and nodes, including RCE via the Merge Node, sandbox escapes, unauthenticated expression evaluation via the Form Node, and stored XSS issues. Users and administrators were advised to review the advisories and update affected versions.
n8n publishes advisory for arbitrary file read by authenticated users
On 2026-02-04, n8n published a GitHub security advisory for an improper file access controls vulnerability that allowed authenticated users to read arbitrary files. This was a separate vendor disclosure from the other n8n advisories and third-party research released the same day.
n8n publishes Community Package Installation command injection advisory
On 2026-02-04, n8n published a GitHub security advisory for a command injection vulnerability affecting Community Package Installation. The advisory introduced a separate flaw from the same day's SSH Node arbitrary file write issue and Pillar Security's sandbox-escape disclosures.
Pillar Security discloses critical n8n sandbox-escape flaws
On 2026-02-04, Pillar Security publicly disclosed two critical sandbox-escape vulnerabilities in n8n, including CVE-2026-25049, that allowed authenticated workflow editors to achieve remote code execution and compromise self-hosted and cloud deployments. The report said n8n acknowledged the issues, rotated secrets, and later delivered a comprehensive fix in version 2.4.0 after an initial December 2025 fix was bypassed.
n8n publishes SSH Node arbitrary file write advisory
On 2026-02-04, n8n published a GitHub security advisory for an Arbitrary File Write vulnerability affecting the SSH Node that could enable writes on remote systems. This was a separate vendor advisory distinct from the same-day Pillar Security sandbox-escape disclosure and preceded the broader February security update roundup.
JFrog discloses n8n Expression Node remote code execution flaw
On 2026-01-27, JFrog Security Research published a disclosure about a remote code execution vulnerability affecting n8n's Expression Node. The report introduced a distinct technical disclosure separate from earlier January PoC reporting and later February sandbox-escape disclosures.
Canada issues alert on high-severity n8n vulnerabilities
On January 12, 2026, the Canadian Centre for Cyber Security published Alert AL26-001 warning about CVE-2026-21858, CVE-2026-21877, and CVE-2025-68613 affecting the n8n workflow automation platform. The alert described risks including arbitrary code execution and arbitrary file writes, and urged organizations to upgrade or restrict exposed webhook and form endpoints.
Public PoCs emerge for critical n8n vulnerabilities
Public proof-of-concept exploits became available for multiple n8n flaws, including a chain using CVE-2026-21858 and CVE-2025-68613 to achieve unauthenticated remote code execution by extracting sensitive data and executing commands on the server.
Critical unauthenticated n8n server-takeover flaw publicly reported
On 2026-01-08, public reporting highlighted a critical n8n vulnerability that could allow unauthenticated attackers to take over exposed servers. This represents an earlier public disclosure of the flaw later reflected in subsequent PoC activity and government warnings.
Public GitHub PoC released for CVE-2025-68613 in n8n
On 2025-12-26, a public GitHub repository published exploit code, scanning tools, and research for CVE-2025-68613, a critical expression-injection flaw in n8n. The release made practical exploitation guidance publicly available ahead of later broader reporting on multiple n8n PoCs.
n8n publishes advisory for Legacy Code node file read/write flaw
On 2025-12-24, n8n published a GitHub security advisory for a vulnerability in the Legacy Code node that could enable file read and write access in self-hosted deployments. The advisory introduced a distinct security issue not reflected in the existing timeline entries.
n8n publishes advisory for Git Node pre-commit hook RCE
On 2025-10-30, n8n published a GitHub security advisory for a remote code execution vulnerability in the Git Node involving the pre-commit hook. The advisory represents an earlier distinct disclosure affecting n8n and is separate from later multi-node critical flaw reports.


